From owner-freebsd-security Tue Mar 12 14:50:22 2002
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by hub.freebsd.org (Postfix) with ESMTP id C4EBA37B417; Tue, 12 Mar 2002 14:50:15 -0800 (PST)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.12.2/8.12.2) with ESMTP id g2CMnrnp035127; Tue, 12 Mar 2002 23:49:53 +0100 (CET) (envelope-from phk@critter.freebsd.dk)
To: hackers@freebsd.org, security@freebsd.org
Subject: Userland Hacker Task: divert socket listener...
From: Poul-Henning Kamp
Date: Tue, 12 Mar 2002 23:49:53 +0100
Message-ID: <35126.1015973393@critter.freebsd.dk>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Here is something I miss a lot:

I would like a small program which can listen to a specified divert(4) socket and act on the incoming packets.

Specifically I want to direct all unwanted traffic from my ipfw rules into the divert socket and have the program examine these packets and, when configured thresholds were exceeded, take actions like:

- Add a blackhole route for a period of time to the source IP to prevent any packets getting back to the attacker.
- Add a blocking ipfw rule for incoming traffic from the attacker's IP# for some period of time.
- Add a divert ipfw rule for incoming traffic from the attacker's IP# to capture all the tricks he is trying to do.
- Log the received packets in detail in pcap format files.
- Report the packets to Dshield.org etc.

Any takers ?

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
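A sketch of the listener the message asks for, added here as an example; it is not code from the original post, from FreeBSD, or from the author. It reads raw IP packets from a divert(4) socket, logs every packet to a pcap file, counts unwanted packets per source in a sliding window, and, when the threshold is crossed, adds a blackhole route and an ipfw table entry for a fixed period, removing both when the period lapses. Assumptions made for the example: the divert port 8668, an ipfw ruleset that already contains something like `deny ip from table(1) to any` (ipfw tables, so this assumes a FreeBSD newer than the 2002 message), the FreeBSD `route -blackhole` flag, and FreeBSD's IPPROTO_DIVERT value of 254 since Python's socket module does not export it. The per-source counter and the packet parser are kept as plain functions so they can be exercised with constructed packets without a divert socket.

```python
import ipaddress
import socket
import struct
import subprocess
import time
from collections import defaultdict, deque

IPPROTO_DIVERT = 254   # assumed: FreeBSD's value; Python's socket module does not export it
LINKTYPE_RAW = 101     # pcap link type for raw IP packets, which is what divert(4) delivers
IPFW_TABLE = 1         # assumed: the ruleset already has 'deny ip from table(1) to any'


def build_ipv4_packet(src, dst, proto, payload=b''):
    """Build a minimal IPv4 packet (no options, zero checksum); used for constructed samples."""
    total = 20 + len(payload)
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, total, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto) for a raw IPv4 packet, or None if it is not one."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9])


class PcapWriter:
    """Write packets to any object with .write() as a pcap stream with LINKTYPE_RAW."""
    def __init__(self, fh):
        self.fh = fh
        fh.write(struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, LINKTYPE_RAW))

    def write(self, pkt, ts):
        sec = int(ts)
        usec = int((ts - sec) * 1_000_000)
        self.fh.write(struct.pack('<IIII', sec, usec, len(pkt), len(pkt)) + pkt)


class SourceTracker:
    """Per-source sliding-window counter; on_exceed fires once per block, on_expire when it lapses."""
    def __init__(self, threshold, window, block_seconds, on_exceed, on_expire):
        self.threshold, self.window, self.block_seconds = threshold, window, block_seconds
        self.on_exceed, self.on_expire = on_exceed, on_expire
        self.hits = defaultdict(deque)   # src -> timestamps of packets inside the window
        self.blocked = {}                # src -> time at which the block expires

    def expire(self, now):
        for src, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[src]
                self.on_expire(src)

    def observe(self, src, now):
        """Record one unwanted packet from src; return True if this one crossed the threshold."""
        self.expire(now)
        if src in self.blocked:          # already acted on; nothing more to count
            return False
        q = self.hits[src]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) < self.threshold:
            return False
        q.clear()
        self.blocked[src] = now + self.block_seconds
        self.on_exceed(src)
        return True


def block_source(src):
    """Blackhole route plus ipfw table entry (FreeBSD commands, need root)."""
    subprocess.run(['route', '-q', 'add', '-host', src, '127.0.0.1', '-blackhole'], check=False)
    subprocess.run(['ipfw', '-q', 'table', str(IPFW_TABLE), 'add', src], check=False)


def unblock_source(src):
    subprocess.run(['route', '-q', 'delete', '-host', src], check=False)
    subprocess.run(['ipfw', '-q', 'table', str(IPFW_TABLE), 'delete', src], check=False)


def main(port=8668, threshold=20, window=10.0, block_seconds=600.0):
    """Drain a divert(4) socket: log every packet, count per source, act on thresholds."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_DIVERT)
    sock.bind(('0.0.0.0', port))
    sock.settimeout(1.0)                 # wake up regularly so idle blocks still expire
    pcap = PcapWriter(open('divert-%d.pcap' % port, 'wb'))
    tracker = SourceTracker(threshold, window, block_seconds, block_source, unblock_source)
    while True:
        try:
            pkt, _ = sock.recvfrom(65535)
        except socket.timeout:
            tracker.expire(time.time())
            continue
        now = time.time()
        pcap.write(pkt, now)
        parsed = parse_ipv4(pkt)
        if parsed:
            tracker.observe(parsed[0], now)
        # The packet is deliberately not re-injected, so the kernel discards it.


if __name__ == '__main__':
    main()
```

Pair it with an ipfw rule such as `divert 8668 ip from any to any` placed where the ruleset would otherwise deny, and the listener becomes the sink for that traffic; because nothing is sent back on the divert socket, the packets are still dropped. The blocked-source map doubles as a guard against acting twice on the same address while its block is live.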